I’ve noticed that we’re not always very good at determining the root cause of compliance problems. We’re better at spotting the problem, writing it up, and citing the law or regulation that was violated. Then it gets fixed.

And then next year—or next quarter—it happens again.

Root cause analysis sounds complex. But it is simply a dogged, systematic process for finding the true reason behind a compliance problem. Effort is required to dig deeper into the matter beyond the apparent surface explanation for the deficiency.

Where and how the bureau digs

The Consumer Financial Protection Bureau’s (CFPB) consumer compliance examination procedures require that in the event that their examiners identify violations of law they must determine the root cause of the violation.

That root cause, along with other factors, is considered in evaluating the appropriate corrective action that should be taken with respect to the institution.

When the root cause is tied to a critical weakness in one or more aspects of the institution’s compliance management program, the severity of the issue is elevated.

And so is the supervisory concern.

The other noteworthy mention of root cause analysis in CFPB’s examination procedures is in the evaluation of an institution’s consumer complaint management process.

CFPB looks at whether an institution’s evaluations of consumer complaints include “a comprehensive root cause analysis to assess why a particular law violation or error occurred” and whether “evaluations of root cause analysis are used in corrective action, such as modifying policies, procedures, training, monitoring, and/or other appropriate business adjustments.”

Analysis helps on business side too

Root cause analysis is not just for consumer complaints. It should be part of all compliance monitoring and review.

Experienced bank auditors are much more familiar with root cause analysis, but compliance staff will find it helpful. There are different methodologies for conducting root cause analysis that involve such tools as “logic trees” and “fishbone diagrams.”

However, probably the easiest and most common method for root cause analysis is the “5 Why’s Method.”

The “5 Why’s” entails asking the question “why?” five or more times to drill down to the ultimate reason that the problem occurred.

Write down the problem. Ask why.

Write down the answer. Ask why again.

Keep going until you have a root cause—and don’t let an early, believable answer keep you from continuing to ask why. Too often we stop at the first and easiest “why” and miss the ultimate answer.

In addition to asking why five times, or using another method to determine the root cause of a compliance problem, combine that with data or metrics to support the process. The data will help quantify the scope and severity of the problem and help put the focus on resolution.

Demonstrating digging for the roots

Let’s take a basic example: violations of the Regulation B adverse action notification provision. The requirement is to provide notice to denied applicants within 30 days of receipt of a completed consumer loan application.

1. Whyare written adverse action notices not being provided to consumers within 30 days of receipt of a completed loan application?

Loan administrators in X number of offices failed to send out the notices by the deadline.

2. Whydid the loan administrators in those offices fail to send out the notices by the deadline?

The loan administrators were interviewed and claimed that they were not aware of the 30-day deadline.

3. Whywere those loan administrators not aware of the 30-day deadline?

Training materials in those offices related to Reg B adverse action notification requirements were reviewed and found to be confusing. They appeared to indicate that loan administrators should try to send notices promptly upon making a credit decision.

4. Whywere training materials written to indicate that notices should be sent promptly upon making a credit decision instead of within 30 days of receiving a completed application?

Some training materials turned out to be outdated and had not been replaced with the newer, more current accurate training materials.

Here you have a root cause: The bank has no control mechanism in place to document the necessary periodic updates to compliance training materials throughout the organization. Such a process ensures that all appropriate staff departments receive updated training materials—and that obsolete training information is destroyed.

Follow through to the end

Throughout the process it is helpful to understand the number of offices, loan administrators, consumers, and notices are affected in order to understand fully the impact of the issue when you finally get to the root cause.

But, if you don’t do the full analysis, you’ve only taken part of the journey. You might as take it all the way.

"Lucy and Nancy’s Common Sense Compliance” is blogged by both Lucy Griffin and Nancy Derr-Castiglione, both Banking Exchange contributing editors on compliance. Nancy, a Certified Regulatory Compliance Manager, is owner of D-C Compliance Services, an independent regulatory compliance consulting services business that has provided expertise in compliance training, monitoring, risk assessment, and policies and procedures to financial institutions since 2002. Previously, Nancy held compliance positions with Bank One Corporation and with United Banks of Colorado. In addition to serving as a Contributing Editor of Banking Exchange, Nancy has served on the ABA Compliance Executive Committee; National and Graduate Compliance Schools board; conference planning committees, and the Editorial Advisory Board for the ABA Bank Compliance magazine. She can be reached at [email protected]